Daily summary - 22.10.2024

End-of-Day report

Timeframe: Monday 21-10-2024 18:00 - Tuesday 22-10-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

FortiManager: Update apparently closes actively attacked security hole

Without any public information, Fortinet has released updates for FortiManager. They apparently close security vulnerabilities that are being attacked.

https://heise.de/-9990393


Even a .rdp file can be dangerous

Today a spear-phishing campaign was observed across Europe in which the recipient is asked to open an attached RDP file.

https://www.cert.at/de/aktuelles/2024/10/auch-rdp-file-kann-gefahrlich-sein


Security Flaw in Styra's OPA Exposes NTLM Hashes to Remote Attackers

Details have emerged about a now-patched security flaw in Styra's Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes.

https://thehackernews.com/2024/10/security-flaw-in-styras-opa-exposes.html


Pixel perfect Ghostpulse malware loader hides inside PNG image files

The Ghostpulse malware strain now retrieves its main payload via a PNG image file's pixels. This development, security experts say, is "one of the most significant changes" made by the crooks behind it since launching in 2023.

https://go.theregister.com/feed/www.theregister.com/2024/10/22/ghostpulse_malware_loader_png/


OpenSSL 3.4.0 released

Version 3.4.0 of the OpenSSL SSL/TLS library has been released. It adds a number of new encryption algorithms, support for "directly fetched composite signature algorithms such as RSA-SHA2-256", and more. See the release notes for details.

https://lwn.net/Articles/995098/


Akira ransomware continues to evolve

As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.

https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/


Threat actor abuses Gophish to deliver new PowerRAT and DCRAT

Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. [..] Talos discovered an undocumented PowerShell RAT we're calling PowerRAT, as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT.

https://blog.talosintelligence.com/gophish-powerrat-dcrat/


Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach

In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts.

https://www.trendmicro.com/en_us/research/24/j/using-grpc-http-2-for-cryptominer-deployment.html


Web Application Security for DevOps: Site and Origin Dynamics and Cross-Site Request Forgery

This is a continuation of the series on web application security where we dive into cookie dynamics.

https://www.bitsight.com/blog/web-application-security-devops-site-and-origin-dynamics-and-cross-site-request-forgery

Vulnerabilities

VMware fixes bad patch for critical vCenter Server RCE flaw

VMware has released another security update for CVE-2024-38812, a critical VMware vCenter Server remote code execution vulnerability that was not correctly fixed in the first patch from September 2024.

https://www.bleepingcomputer.com/news/security/vmware-fixes-bad-patch-for-critical-vcenter-server-rce-flaw/


Zyxel security advisory for insufficiently protected credentials vulnerability in firewalls

The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series firewalls could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a logged-in administrator. Note that this attack could be successful only if the administrator has not logged out.

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficiently-protected-credentials-vulnerability-in-firewalls-10-22-2024


Security updates for Tuesday

Security updates have been issued by Debian (ffmpeg, ghostscript, libsepol, openjdk-11, openjdk-17, perl, and python-sql), Oracle (389-ds-base, buildah, containernetworking-plugins, edk2, httpd, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, python-setuptools, skopeo, and webkit2gtk3), Red Hat (buildah), Slackware (openssl), SUSE (apache2, firefox, libopenssl-3-devel, podman, and python310-starlette), and Ubuntu (cups-browsed, firefox, libgsf, and linux-gke).

https://lwn.net/Articles/995095/


Dell Product Security Update Advisory (CVE-2024-45766)

https://asec.ahnlab.com/en/83995/


SolarWinds Product Security Update Advisory (CVE-2024-45711)

https://asec.ahnlab.com/en/84002/


ICONICS and Mitsubishi Electric Products

https://www.cisa.gov/news-events/ics-advisories/icsa-24-296-01